CVE-2026-33232: AutoGPT Platform Unauthenticated DoS via Disk Exhaustion
AutoGPT Platform backend download endpoint leaves persistent temp files, allowing unauthenticated attackers to exhaust disk space and crash the service.
Unauthenticated OS command injection in the WiFi captive portal API endpoint (api.cgi) of thingino-firmware allows any device on the camera's AP to execute arbitrary commands as root, achieving full device compromise.
An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows reading, writing, and deleting arbitrary files on the flight controller.
A logic error in the session validation of PX4's MAVLink FTP implementation allows operations on invalid file descriptors and session isolation bypass.
A CSRF vulnerability in the massiveAdmin plugin for GetSimpleCMS-CE allows an unauthenticated attacker to achieve RCE by overwriting gsconfig.php.
Stored Cross-Site Scripting in Gogs self-hosted Git service via data: URI scheme allowed by the HTML sanitizer, enabling JavaScript execution through malicious links.
Unauthenticated HTTP Header Injection in the Ajaxify Comments WordPress plugin (< 3.2) due to insufficient input sanitization, allowing attackers to inject arbitrary HTTP headers.
Server-Side Request Forgery in Statamic CMS's Glide image manipulation proxy allows unauthenticated attackers to make the server send HTTP requests to arbitrary URLs, including internal services and cloud metadata endpoints.
Unauthenticated information disclosure in Homarr's integration.all tRPC endpoint exposes internal service URLs, integration names, and service types to unauthenticated users in versions ≤ 1.53.2.
IP-based brute-force protection in Calibre's Content Server can be completely bypassed by spoofing the X-Forwarded-For header, allowing unlimited password guessing attempts in versions ≤ 9.3.1.
OS Command injection vulnerability in OneUptime's Probe NetworkPathMonitor allows authenticated users to execute arbitrary commands via unsanitized traceroute destinations.
Arbitrary command injection in yt-dlp's --netrc-cmd option allows an attacker to execute OS commands via a maliciously crafted URL, exploitable through HTTP redirects.
Server-Side Template Injection vulnerability in Calibre's Templite engine allows arbitrary Python code execution via user-supplied HTML export templates in versions ≤ 9.1.0.
SQL injection vulnerability in HotelDruid 2.2.3 via unsanitized inizioperiodo and fineperiodo parameters in disponibilita.php, allowing full database extraction.
Authenticated Remote Code Execution in Havoc C2 framework by chaining SSRF with command injection to execute arbitrary commands on the teamserver.