Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously crafted web content, with Apple confirming active exploitation on Intel-based Mac systems. The flaw is confirmed actively exploited (CISA KEV) and carries a CVSS 8.8 score requiring only user interaction (visiting a malicious page) to achieve remote code execution. EPSS at 1.55% (81st percentile) is moderate but the KEV listing signals real-world targeted abuse against Apple's WebKit-based browsing stack.
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
D-LINK DI-8400 v16.07.26A1 was discovered to contain multiple remote command execution (RCE) vulnerabilities in the msp_info_htm function via the flag and cmd parameters. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Incorrect access control in eSoft Planner 3.24.08271-USA allow attackers to view all transactions performed by the company via supplying a crafted web request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue in the Instructor Appointment Availability module of eSoft Planner 3.24.08271-USA allows attackers to cause a Denial of Service (DoS) via a crafted POST request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
**UNSUPPORTED WHEN ASSIGNED** The improper authentication vulnerability in the Zyxel P-6101C ADSL modem firmware version P-6101CSA6AP_20140331 could allow an unauthenticated attacker to read some. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An arbitrary file upload vulnerability in the component /admin/friendlink_edit of DedeBIZ v6.3.0 allows attackers to execute arbitrary code via uploading a crafted file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows Object Injection.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows Privilege Escalation.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in Buying Buddy Buying Buddy IDX CRM buying-buddy-idx-crm allows Object Injection.2.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in Audimex EE versions 15.1.20 and earlier allowing a remote attacker to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal: '.../...//' vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path Traversal.6.1. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_remove_file_attachment(). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The Image Optimizer, Resizer and CDN - Sirv plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the filename. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in officialprocoders nBlocks nblocks allows PHP Local File Inclusion.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Buffer overflow vulnerability in OllyDbg, version 1.10, which could allow a local attacker to execute arbitrary code due to lack of proper bounds checking. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A buffer overflow issue was addressed with improved memory handling. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A buffer overflow issue was addressed with improved memory handling. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Navneil Naicer Bootscraper wp-bootscraper allows PHP Local File Inclusion.1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in webcodingplace Ultimate Classified Listings ultimate-classified-listings allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpopal Opal Woo Custom Product Variation opal-woo-custom-product-variation allows Path Traversal.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in MBed OS 6.16.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
An issue was discovered in MBed OS 6.16.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
An issue was discovered in MBed OS 6.16.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in MBed OS 6.16.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in MBed OS 6.16.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Local File Inclusion vulnerability in Vegam Solutions Vegam 4i versions 6.3.47.0 and earlier allows a remote attacker to obtain sensitive information through the print label function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in Moodle. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There exists a code execution vulnerability in the Car App Android Jetpack Library. Rated high severity (CVSS 7.3). No vendor patch available.
The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
File Upload vulnerability in change-image.php in Anuj Kumar's Boat Booking System version 1.0 allows local attackers to upload a malicious PHP script via the Image Upload Mechanism parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor extensions-for-elementor allows Reflection Injection.0.40. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sandeep Verma HTML5 Lyrics Karaoke Player html5-lyrics-karaoke-player allows Reflected XSS.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Weather Atlas Weather Atlas Widget weather-atlas allows Reflected XSS.0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brainvireinfo Dynamic URL SEO dynamic-url-seo allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.