Command injection in D-Link DIR-817L router firmware up to version 1.04B01 allows authenticated remote attackers to execute arbitrary system commands via the lxmldbc_system function in ssdpcgi, with publicly available exploit code disclosed and EPSS risk at 0.36% suggesting limited real-world exploitation despite network accessibility.
Stored or reflected cross-site scripting (XSS) vulnerability in PHPGurukul Online Banquet Booking System 1.0 allows remote attackers to inject malicious scripts via the user_login or userpassword parameters in /admin/login.php. User interaction is required for exploitation. Publicly available exploit code exists, and EPSS score of 0.10% indicates low real-world exploitation probability despite public disclosure.
SQL injection in PHPGurukul Online Banquet Booking System 1.0 allows authenticated remote attackers to manipulate the viewid parameter in /admin/view-user-queries.php, enabling database query manipulation with limited confidentiality and integrity impact. Despite a critical severity classification in the original report, the CVSS 4.0 score of 2.1 reflects low real-world risk due to required authentication and restricted impact scope. Public exploit code is available, but the low EPSS score (0.08th percentile) indicates minimal likelihood of widespread exploitation.
SQL injection in fuyang_lipengjun platform allows authenticated remote attackers to manipulate beanName and methodName parameters in the queryPage function of ScheduleJobLogController.java, resulting in limited confidentiality, integrity, and availability impact. The CVSS score of 2.1 reflects the requirement for prior authentication and the constrained scope of impact; however, exploitation probability is marked as possible (E:P in CVSS v4.0 vector), and publicly available exploit code exists. The rolling-release model means no traditional version numbers are tracked, with the vulnerability confirmed present up to commit ca9aceff6902feb7b0b6bf510842aea88430796a.
SQL injection in the SysLogController of fuyang_lipengjun platform allows authenticated remote attackers to execute arbitrary SQL queries via the key parameter, with publicly available exploit code disclosed. Despite a critical classification, the CVSS 4.0 score of 2.1 and low EPSS percentile (22%) indicate limited real-world impact due to requirement for prior authentication and low confidentiality/integrity scope; however, the public exploit and authenticated network access vector warrant monitoring.
SQL injection in fuyang_lipengjun platform allows authenticated remote attackers to execute arbitrary SQL queries via the beanName parameter in the queryPage function of ScheduleJobController.java. The CVSS score of 2.1 reflects limited confidentiality and integrity impact with authentication required, though publicly available exploit code exists. EPSS score of 0.07% (percentile 22%) suggests low real-world exploitation probability despite public POC availability.
Cross-site scripting (XSS) in PHPGurukul Taxi Stand Management System 1.0 allows remote attackers to inject malicious scripts via the searchdata parameter in /search.php. The vulnerability requires user interaction (clicking a malicious link) and has limited integrity impact. A publicly available proof-of-concept exists, though EPSS score of 0.07% suggests minimal real-world exploitation probability despite active public disclosure.
Reflected cross-site scripting (XSS) in PHPGurukul Taxi Stand Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the searchdata parameter in /admin/search-autoortaxi.php. The vulnerability requires user interaction (clicking a malicious link) but no authentication. Publicly available exploit code exists, though EPSS score (0.07%) indicates low real-world exploitation probability relative to CVSS severity.
Authorization bypass in JPACookieShop (蛋糕商城JPA版) version 1.0 allows authenticated remote attackers to modify goods via the updateGoods function in GoodsController.java without proper privilege validation. The vulnerability has public exploit code available but carries low real-world risk due to a CVSS score of 2.1 (EPSS 0.06%), indicating exploitation is unlikely despite authenticated access requirements and public disclosure.
Stored cross-site scripting (XSS) in PHPGurukul Time Table Generator System 1.0 allows authenticated users to inject malicious scripts via the adminname parameter in /admin/profile.php, affecting other users who view the compromised admin profile. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting direct impact to integrity (VI:L), but publicly available exploit code demonstrates feasibility for authorized attackers to escalate privileges or perform actions on behalf of administrators.
Stored cross-site scripting (XSS) in PHPGurukul Online Banquet Booking System 1.0 allows authenticated remote attackers to inject malicious scripts via the searchdata parameter in /admin/booking-search.php, which are then reflected to other users viewing search results. The vulnerability requires user interaction (clicking a malicious link) and authenticated access to the admin panel, resulting in session hijacking or credential theft. Publicly available exploit code exists, though the EPSS score of 0.07% (percentile 21%) and low CVSS score of 2.0 suggest limited real-world exploitation likelihood due to the authentication and user interaction requirements.
Reflected cross-site scripting (XSS) in PHPGurukul Online Banquet Booking System 1.0 allows authenticated remote attackers to inject malicious scripts via the adminname parameter in /admin/admin-profile.php. The vulnerability requires user interaction (UI:P) to trigger payload execution but carries public exploit code, making it readily weaponizable despite the low CVSS score of 2.0 and minimal EPSS probability (0.07%).
Stored cross-site scripting (XSS) in PHPGurukul Taxi Stand Management System 1.0 allows authenticated users to inject malicious scripts via the adminname parameter in /admin/admin-profile.php, affecting application integrity. The vulnerability requires user interaction (UI:P per CVSS 4.0 vector) and an authenticated admin account (PR:L), but public exploit code exists and the risk is amplified by the admin-tier access context. EPSS exploitation probability is minimal at 0.05% percentile, suggesting limited real-world weaponization despite proof-of-concept availability.
Improper export of Android application components in Genshin Albedo Cat House App 1.0.2 allows local attackers with user privileges to access sensitive information through AndroidManifest.xml misconfigurations in the com.house.auscat component. The vulnerability requires local access and authenticated user privileges but carries minimal real-world risk due to low EPSS (0.02%) and the constraint of local-only exploitation.
Improper access control in Linksys EA6350 firmware 2.1.2 exposes the embedded vsftpd FTP service via a misconfigured chroot_local_user directive in a dynamically generated configuration file, allowing authenticated FTP users to traverse outside their intended jail and access sensitive system files. Affected users of this specific firmware version could face local privilege escalation or use of the device as a network pivot point for lateral movement into attached internal segments. No public exploit code has been confirmed, EPSS sits at 0.28% (20th percentile), and the device carries no CISA KEV listing, collectively suggesting limited real-world threat activity at this time.