Arbitrary code execution via CSV/formula injection in RSA Archer (Archer IRM) 6.11.00204.10014 lets an attacker plant spreadsheet formulas through system input fields that are later written into exported CSV files; when a victim opens the export in Excel or a compatible application, the embedded formula runs on their workstation. Publicly available exploit code exists (a proof-of-concept GitHub repository), but the issue is disputed by the vendor and is not listed in CISA KEV. Impact depends entirely on a victim opening the malicious export and bypassing modern spreadsheet warnings, so real-world severity is lower than the 8.8 CVSS suggests.
Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rate limiting, or account lockout, letting remote attackers run automated password-guessing until a valid vendor credential is found. Success yields unauthorized access to a vendor's storefront administration account. A public write-up exists on GitHub, but there is no public exploit identified at time of analysis and no evidence of active exploitation; EPSS is low at 0.24% (15th percentile).
Insecure Direct Object Reference in CS-Cart 4.18.3 lets an authenticated shopper toggle the 'sticker' enable/disable setting on other users' accounts by tampering with the company_id (or similar object identifier) parameter in the user-profile request, because the server never verifies that the caller owns the referenced object. A public technical write-up documenting the request manipulation exists on GitHub, though the flaw is not in CISA KEV and carries a low EPSS score (0.26%, 17th percentile), indicating no confirmed active exploitation. The real-world impact is a low-severity authorization/integrity issue rather than the account takeover implied by the reported CVSS of 8.0.