Authentication bypass in Felan Framework WordPress plugin versions up to 1.1.4 enables unauthenticated attackers to impersonate any user account registered via Facebook or Google social login. Hardcoded passwords in fb_ajax_login_or_register and google_ajax_login_or_register functions allow complete account takeover of affected users without requiring credentials. Exploitable remotely without user interaction. CVSS 9.8 Critical severity. No public exploit identified at time of analysis.
Reflected XSS in Ilevia EVE X1 Server firmware (all versions through 4.7.18.0.eden) exposes unauthenticated network attackers to client-side code execution by injecting malicious payloads via the index.php endpoint on port 8080. A publicly available proof-of-concept exploit exists (ZSL-2025-5961), raising the practical risk above the 5.1 CVSS score alone would suggest. Critically, Ilevia has formally declined to issue a patch, leaving all deployed devices permanently unmitigated at the firmware level - the only vendor-sanctioned control is network segmentation.
PHP object injection in Vfront 0.99.52's mexcel.php endpoint exposes an unauthenticated POST parameter directly to unserialize() without class restrictions, enabling remote attackers to instantiate arbitrary PHP objects. Depending on exploitable gadget chains present in the Vfront codebase or its PHP dependencies, this can escalate to remote code execution, SQL injection, path traversal, or denial of service. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.40% (32nd percentile), consistent with the absence of a CISA KEV listing.
Hardcoded credentials embedded in ATLAS-EPIC (GitHub project gsiegel14/ATLAS-EPIC, commit f29312c, 2025-05-26) expose authentication secrets directly in publicly accessible source code, enabling authentication bypass. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms that any network-reachable instance can be accessed by an unauthenticated attacker who reads the repository and extracts the embedded credentials. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Improper access controls in Sismics Teedy up to version 1.11 allow authenticated remote attackers to manipulate the /api/file endpoint, leading to unauthorized information disclosure. The vulnerability has publicly available exploit code and affects all versions through 1.11, though the vendor has not responded to disclosure notifications. With an EPSS score of 0.05% and low CVSS impact severity despite network accessibility, real-world exploitation appears limited to scenarios where attackers already possess valid authentication credentials.
Cross-site scripting (XSS) in Apeman ID71 EN75.8.53.20 allows authenticated remote attackers to inject malicious scripts via the alias parameter in /set_alias.cgi, requiring user interaction for payload execution. Publicly available exploit code exists, but EPSS score of 0.03% and vendor non-responsiveness suggest limited real-world exploitation despite confirmed POC availability.
Out-of-bounds read in GNU Binutils 2.45 linker (ld) allows local authenticated attackers to read adjacent memory via manipulation of the vfinfo function in ldmisc.c, potentially disclosing sensitive information. Public exploit code is available, though the EPSS score of 0.03% indicates minimal real-world exploitation probability. The CVSS severity of 1.9 reflects limited impact (availability only) and requirement for local authenticated access.
GNU Binutils 2.45 allows local privilege-escalable information disclosure through an unchecked return value in the tg_tag_type function of prdbg.c, enabling authenticated local attackers to trigger unvalidated memory reads that leak sensitive data. CVSS score of 1.9 reflects minimal impact (availability only), though publicly available exploit code exists; EPSS 0.02% indicates negligible real-world exploitation probability despite POC availability.