Skip to content
Threat Feed

Tag

Web-Exploitation

7 briefs RSS
critical advisory

9routers Database Exposure and Takeover via Insecure API

A critical vulnerability (CVE-2026-55500) in 9routers versions <= 0.4.71 allows authenticated attackers with a valid JWT token to export the complete database containing plaintext credentials and secrets, and to import a modified database, leading to full system takeover and credential theft.

9router <= 0.4.71 web-exploitation data-exfiltration credential-access persistence impact
1r 6t 1i
high advisory

Gitea: Multiple Vulnerabilities Leading to XSS, Info Disclosure, and File Manipulation

An attacker can exploit multiple unpatched vulnerabilities in Gitea to bypass security measures, disclose sensitive information, perform Cross-Site Scripting (XSS) attacks, and manipulate files, posing a high risk to self-hosted Git instances.

Gitea web-exploitation vulnerability
4t
high advisory

CVE-2026-14747: SQL Injection in code-projects Real State Services 1.0

A high-severity SQL Injection vulnerability, CVE-2026-14747, exists in the /addprojectsale.php file of code-projects Real State Services 1.0, allowing remote unauthenticated attackers to manipulate the 'amen' argument for arbitrary SQL query execution, leading to data compromise or unauthorized access.

Real State Services 1.0 sql-injection web-exploitation cve php real-state
1r 1t 1c
high advisory

CVE-2026-14744: Remote SQL Injection in code-projects Real State Services 1.0

A critical SQL injection vulnerability (CVE-2026-14744) has been found in code-projects Real State Services version 1.0. The flaw resides in an unknown function within the /normalHomeRent.php file, where manipulating the 'loc' argument allows for remote SQL injection, and a public exploit has been released, posing an immediate threat to affected systems.

Real State Services 1.0 web-exploitation sql-injection cve-2026-14744 initial-access data-exfiltration
1r 4t 1c 6i
high advisory

CVE-2026-14737: Hanwang e-Face General Management Platform SQL Injection

A remote SQL injection vulnerability (CVE-2026-14737) affects Hanwang e-Face General Management Platform version 6.3.5.4, specifically within the `/sysAuthStr/querySysAuthStr.do` file, triggered by manipulating argument order, allowing remote attackers to potentially gain unauthorized access to or modify database contents with a publicly available exploit.

e-Face General Management Platform 6.3.5.4 sql-injection web-exploitation vulnerability cve hanwang
1r 1t 1c
medium advisory

Web Server Cloud Metadata SSRF Exploitation

Attackers are actively exploiting Server-Side Request Forgery (SSRF) vulnerabilities in public-facing web applications to access cloud instance metadata services, such as those on AWS, GCP, and Azure, to harvest temporary credentials and sensitive instance details.

AWS +8 ssrf cloud-security web-exploitation credential-access initial-access webserver
1r 2t 7i
high advisory

Steeltoe Host Header Bypass Vulnerability (CVE-2026-50194)

An unauthenticated remote attacker can bypass port isolation in Steeltoe applications configured with `Management:Endpoints:Port` by spoofing the Host HTTP header, allowing access to all actuator endpoints (CVE-2026-50194).

Steeltoe.Management.Endpoint <= 4.1.0 +1 vulnerability web-exploitation cve dotnet bypass
1r 2t 1c