CVLand versions 2.1.0 through 20251103 by CB Project Ltd. Co. permit authenticated attackers to bypass authorization controls via parameter injection, enabling elevated privilege actions and unauthorized access to sensitive data. The CVSS score of 9.9 reflects network-based exploitation with low complexity and scope change allowing high confidentiality and integrity impact. EPSS probability is 0.07% (22nd percentile), indicating relatively low observed exploitation likelihood despite the critical severity rating. No public exploit identified at time of analysis, though the vendor was notified and did not respond.
Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.
Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/contact.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/forgot-pass.php. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/sign-in.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.