PoC Week 2026-04-27
The most frequently featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. I don’t vouch for any links in this list: follow them with caution.
CVE-2026-32201 NEW
- Severity: 6.5 MEDIUM
- Impacted Products: Microsoft SharePoint
- Description: Microsoft SharePoint is affected by an improper input validation vulnerability that allows a remote, unauthorized attacker to perform spoofing. This flaw enables attackers to view sensitive information and make unauthorized changes to data.
- Remediation:
- More Info: NVD - CVE-2026-32201
- PoC:
CVE-2026-33824
- Severity: 9.8 CRITICAL
- Impacted Products: Microsoft Windows, IKE version 2 (IKEv2)
- Description: Microsoft Windows is affected by a double free vulnerability in the Internet Key Exchange (IKE) Service Extensions that allows for remote code execution. An unauthenticated attacker can trigger this flaw by sending specially crafted packets to a target system where IKE version 2 (IKEv2) is enabled.
- Remediation:
- More Info: NVD - CVE-2026-33824
- PoC:
CVE-2026-40175
- Severity: 10.0 CRITICAL
- Impacted Products: Axios < 1.15.0
- Description: Axios is affected by a prototype pollution gadget vulnerability in versions prior to 1.15.0 that allows for remote code execution or full cloud environment compromise. This flaw enables attackers to escalate prototype pollution vulnerabilities found in other third-party dependencies by leveraging Axios as an exploitation gadget.
- Remediation:
- Security Bulletin: IBM App Connect Enterprise is vulnerable to a specific “Gadget” attack chain and proxy bypass and SSRF vulnerabilities due to Node js module axios (CVE-2025-62718 & CVE-2026-40175)
- RHSA-2026:8483 - Security Advisory - Red Hat Customer Portal
- RHSA-2026:8484 - Security Advisory - Red Hat Customer Portal
- More Info: NVD - CVE-2026-40175
- PoC:
CVE-2026-39842 NEW
- Severity: 9.9 CRITICAL
- Impacted Products: OpenRemote 1.21.0 and below
- Description: OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn’s ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for an…
- Remediation:
- More Info: NVD - CVE-2026-39842
- PoC:
CVE-2026-39813 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Fortinet FortiSandbox 4.4.0 through 4.4.8, Fortinet FortiSandbox 5.0.0 through 5.0.5
- Description: Fortinet FortiSandbox is affected by a path traversal vulnerability in its JRPC API that allows for privilege escalation. This flaw enables unauthenticated attackers to bypass authentication mechanisms using specially crafted HTTP requests.
- Remediation:
- More Info: NVD - CVE-2026-39813
- PoC:
CVE-2026-39808
- Severity: 9.8 CRITICAL
- Impacted Products: Fortinet FortiSandbox 4.4.0 through 4.4.8
- Description: Fortinet FortiSandbox is affected by an OS command injection vulnerability in its web management interface that allows for arbitrary command execution. This flaw exists in versions 4.4.0 through 4.4.8 and can be triggered via specially crafted HTTP requests.
- Remediation:
- More Info: NVD - CVE-2026-39808
- PoC:
CVE-2026-35031
- Severity: 9.9 CRITICAL
- Impacted Products: Jellyfin < 10.11.7
- Description: Jellyfin is an open-source, self-hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Ex…
- Remediation:
- More Info: NVD - CVE-2026-35031
- PoC:
CVE-2026-31908 NEW
- Severity: 9.1 CRITICAL
- Impacted Products: Apache APISIX 2.12.0 through 3.15.0
- Description: Apache APISIX is affected by a header injection vulnerability in the forward-auth plugin that allows remote attackers to inject malicious HTTP headers. This flaw exists due to improper sanitization of input when certain configurations are used in versions 2.12.0 through 3.15.0.
- Remediation:
- More Info: NVD - CVE-2026-31908
- PoC:
CVE-2026-20180 NEW
- Severity: 9.9 CRITICAL
- Impacted Products: Cisco Identity Services Engine (ISE) versions prior to 3.4.0 Patch 4
- Description: Cisco Identity Services Engine (ISE) is affected by multiple vulnerabilities, including path traversal, that allow an authenticated, remote attacker with administrative privileges to execute arbitrary commands on the underlying operating system. These flaws are caused by insufficient validation of user-supplied input within the application’s administrative interface.
- Remediation:
- More Info: NVD - CVE-2026-20180
- PoC:
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections or omissions (e.g. newsletter recs), feel free to get in touch.