Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.
BuilderEngine 3.5.0 contains a critical unrestricted file upload vulnerability in its elFinder 2.0 integration and jQuery File Upload plugin, allowing unauthenticated attackers to upload and execute arbitrary PHP files on the server, resulting in complete remote code execution (RCE) under the web server process context. The vulnerability is characterized by a CVSS 9.3 score with no authentication or user interaction required, making it immediately exploitable across network boundaries.
CryptoLog PHP edition (discontinued since 2009) contains a chained SQL injection and command injection vulnerability. An unauthenticated attacker can first bypass authentication via SQLi in login.php, then exploit command injection to gain shell access as the web server user.
Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/action API endpoint. The checkStreamUrl method passes the VIDEO parameter directly to cmd.exe without sanitization, enabling remote code execution on the media server.
Easy File Sharing HTTP Server version 7.2 contains a stack-based buffer overflow triggered by an oversized Email parameter in POST requests to /sendemail.ghp. Unauthenticated attackers can exploit this for remote code execution on the Windows server.
Mako Server versions 2.5 and 2.6 contain an unauthenticated OS command injection via the tutorial interface at examples/save.lsp. Attackers can send crafted PUT requests with arbitrary Lua os.execute() code that is persisted on disk and executed, achieving remote code execution on the embedded web server.
VICIdial call center software versions 2.9 RC1 through 2.13 RC1 contain an unauthenticated command injection in vicidial_sales_viewer.php when password encryption is enabled. The HTTP Basic Authentication password is passed directly to OS commands without sanitization, enabling remote code execution on the call center server.
Chall-Manager versions prior to v0.1.4 contain an unchecked decompression vulnerability (CWE-405) that allows unauthenticated attackers to trigger zip bomb attacks by uploading malicious scenario archives. This denial-of-service vulnerability has a CVSS 9.8 severity score due to complete system compromise potential (confidentiality, integrity, availability impact) combined with network-accessible attack surface. The vulnerability is mitigated in practice by deployment recommendations suggesting Chall-Manager be isolated within infrastructure, but network-adjacent attackers with access to the system can completely compromise it without authentication or user interaction.
A remote code execution vulnerability in Honeywell Experion PKS and OneWireless WDM (CVSS 9.4). Critical severity with potential for significant impact on affected systems.
A denial of service vulnerability in DiscordNotifications (CVSS 9.1) that allows sending requests. Critical severity with potential for significant impact on affected systems.
CVE-2025-53632 is a path traversal vulnerability (zip slip) in Chall-Manager v0.1.3 and earlier that allows unauthenticated attackers to write arbitrary files to the system when processing scenario zip archives. The vulnerability has a CVSS 9.1 severity score due to high integrity and availability impact, though real-world exploitation risk is partially mitigated by deployment recommendations to isolate Chall-Manager within internal infrastructure. A patch is available in v0.1.4 via commit 47d188f.
CVE-2025-23048 is an authentication bypass vulnerability in Apache HTTP Server 2.4.35-2.4.63 affecting mod_ssl configurations with multiple virtual hosts using different client certificate restrictions. An attacker with valid client certificates trusted by one virtual host can exploit TLS 1.3 session resumption to access another restricted virtual host if SSLStrictSNIVHostCheck is not enabled, achieving unauthorized access to confidential information and potentially modifying data. This is a network-accessible vulnerability with no authentication required and high real-world impact.