PoC Week 2026-04-13
The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. I don’t vouch for any links in this list: follow them with caution.
CVE-2026-5281
- Severity: 8.8 HIGH
- Impacted Products: Google Chrome
- Description: Google Chrome is affected by a use-after-free vulnerability in Dawn, the underlying WebGPU implementation, which could allow for arbitrary code execution. The flaw is triggered when the application attempts to access memory that has already been deallocated.
- Remediation:
- More Info: NVD - CVE-2026-5281
- PoC:
CVE-2025-30208 NEW
- Severity: 5.3 MEDIUM
- Impacted Products: Vite
- Description: Vite is affected by an arbitrary file read vulnerability in its development server component that allows for the unauthorized retrieval of sensitive files. This flaw exists due to a bypass in the filesystem access restrictions when processing specific query parameters.
- Remediation:
- More Info: NVD - CVE-2025-30208
- PoC:
CVE-2026-33634
- Severity: 8.8 HIGH
- Impacted Products: Aqua Security Trivy v0.69.4, aquasecurity/trivy-action (versions 0.0.1 – 0.34.2), aquasecurity/setup-trivy (versions 0.2.0 – 0.2.6)
- Description: Aqua Security Trivy and its associated GitHub Actions were affected by a supply chain compromise where a threat actor published malicious releases containing embedded malware. This incident allowed for the execution of credential-stealing code within environments using the affected software.
- Remediation:
- More Info: NVD - CVE-2026-33634
- PoC:
CVE-2026-35616 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Fortinet FortiClientEMS 7.4.5, Fortinet FortiClientEMS 7.4.6
- Description: Fortinet FortiClientEMS is affected by an improper access control vulnerability that allows an unauthenticated attacker to execute arbitrary code or commands. This flaw exists in versions 7.4.5 through 7.4.6 and is accessible via crafted network requests.
- Remediation:
- More Info: NVD - CVE-2026-35616
- PoC:
CVE-2026-2699 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Progress ShareFile Storage Zones Controller (SZC)
- Description: Progress ShareFile Storage Zones Controller (SZC) is affected by an Execution After Redirect (EAR) vulnerability that allows unauthenticated attackers to access restricted configuration pages. This flaw can lead to unauthorized system configuration changes and remote code execution.
- Remediation:
- More Info: NVD - CVE-2026-2699
- PoC:
CVE-2026-34841 NEW
- Severity: 8.8 HIGH
- Impacted Products: Axios 1.14.1, Axios 0.30.4, plain-crypto-js@4.2.1
- Description: Axios versions 1.14.1 and 0.30.4 are affected by a supply chain attack where a compromised maintainer account was used to inject a malicious dependency. This dependency, plain-crypto-js, functions as a cross-platform remote access trojan (RAT) dropper targeting Windows, macOS, and Linux systems.
- Remediation:
- More Info: NVD - CVE-2026-34841
- PoC:
CVE-2026-34156
- Severity: 9.9 CRITICAL
- Impacted Products: NocoBase versions prior to 2.0.28
- Description: NocoBase is affected by a sandbox escape vulnerability in its Workflow Script Node that allows authenticated attackers to achieve remote code execution. This flaw occurs because the application improperly exposes host-realm objects within the Node.js sandbox environment.
- Remediation:
- More Info: NVD - CVE-2026-34156
- PoC:
CVE-2026-31027 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: TOTOlink A3600R v5.9c.4959
- Description: TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAppEasyWizardConfig interface of /lib/cste_modules/app.so. The vulnerability occurs because the rootSsid parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-31027
- PoC:
CVE-2026-30643 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: DedeCMS 5.7.118
- Description: An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-30643
- PoC:
CVE-2026-29014 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: MetInfo CMS 7.9.0 through 8.1.0
- Description: MetInfo CMS versions 7.9.0 through 8.1.0 are affected by an unauthenticated PHP code injection vulnerability in the WeChat API module that allows for remote code execution. This flaw occurs because the application fails to properly sanitize user-supplied XML data before processing it through internal caching mechanisms.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-29014
- PoC:
CVE-2026-28373 NEW
- Severity: 9.6 CRITICAL
- Impacted Products: Stackfield Desktop App before 1.10.2
- Description: The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim’s filesystem.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-28373
- PoC:
CVE-2026-0740 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Ninja Forms - File Uploads plugin for WordPress 3.3.25, 3.3.26, 3.3.27
- Description: The Ninja Forms - File Uploads plugin for WordPress is affected by an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution. This issue exists in all versions of the plugin up to and including 3.3.26.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-0740
- PoC:
CVE-2025-54328 NEW
- Severity: 10.0 CRITICAL
- Impacted Products: Samsung Mobile Processor, Wearable Processor, Modem Exynos 980, Exynos 990, Exynos 850
- Description: An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. A Stack-based Buffer Overflow occurs while parsing SMS RP-DATA messages.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2025-54328
- PoC:
CVE-2019-25687 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Pegasus CMS 1.0
- Description: Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval functionality. Attackers can send POST requests to the submit.php endpoint with malicious PHP code in the action parameter to achieve code execution and obtain an interactive shell.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2019-25687
- PoC:
CVE-2018-25254 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: NICO-FTP 3.0.1.19
- Description: NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Attackers can connect to the FTP service and send oversized data in response handlers to overwrite SEH pointers and redirect execution to injected shellcode.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2018-25254
- PoC:
CVE-2016-20052 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Snews CMS 1.7
- Description: Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Attackers can upload malicious PHP files through the multipart form-data upload endpoint and execute them by accessing the uploaded file path to achieve remote code execution.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2016-20052
- PoC:
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.