Local privilege-agnostic code execution in Trimble SketchUp desktop 2025 for Windows occurs when its helper process sketchup_webhelper.exe loads an attacker-supplied libcef.dll from an insecure search path (CWE-427). A local attacker who can drop a crafted DLL into a directory searched by the helper gains full confidentiality, integrity, and availability impact in the context of the running process. No public exploit identified in the provided data, though a third-party technical writeup (yawataa.github.io) documenting the issue exists; EPSS is low at 0.17% (7th percentile), indicating negligible measured exploitation activity.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection.This issue affects MasterStudy LMS: from n/a through <= 3.6.27.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting Elementor Widgets consulting-elementor-widgets allows PHP Local File Inclusion.This issue affects Consulting Elementor Widgets: from n/a through <= 1.4.2.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting consulting allows PHP Local File Inclusion.This issue affects Consulting: from n/a through < 6.7.5.
Authentication cache collision in Dovecot mail server allows remote attackers to gain unauthorized access to other users' accounts under specific caching configurations. When passdb/userdb caching is enabled, certain drivers incorrectly use identical cache keys for multiple distinct users, causing authentication data from one user to be applied to subsequent login attempts by different users. This vulnerability enables attackers to authenticate as other users after the legitimate user's credentials are cached, with no public exploit identified at time of analysis. Despite low EPSS probability (0.03%), the network-accessible attack vector and potential for unauthorized email access warrants immediate remediation in environments using affected caching configurations.
Configuration file manipulation in ELOG electronic logbook system allows authenticated attackers to trigger denial of service by modifying or overwriting the configuration file. If the rarely-used execute facility is enabled via '-x' command line flag, the vulnerability escalates to remote code execution on the underlying host. Vendor patches are available via Bitbucket commits 7092ff6 and f81e569. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. The 7.1 CVSS 4.0 score reflects high availability impact and low integrity impact under default configurations, with significantly higher risk in non-default deployments using the execute facility.