Unauthenticated Bluetooth Low Energy (BLE) command execution against the Meatmeet Pro WiFi & Bluetooth Meat Thermometer firmware 1.0.34.4 allows any proximity attacker to issue shutdown, restart, or factory-reset commands without credentials, resulting in a denial of service. The clear-config command is particularly disruptive: it dissociates the device from its owner account, severing the connection to the Meatmeet cloud backend and requiring full device re-provisioning before temperature data can be received again. A public proof-of-concept is available via a GitHub gist, though EPSS sits at 0.27% (19th percentile), reflecting the niche consumer IoT footprint rather than low technical reproducibility.
Arbitrary file read in Adobe ColdFusion 2025.4, 2023.16, 2021.22 and earlier stems from an XML External Entity (XXE) flaw (CWE-611) that lets remote unauthenticated attackers retrieve sensitive files from the server. Adobe rates the issue 8.6 (CVSS 3.1) with a scope change, and no public exploit is identified at time of analysis, though the description notes exploitation depends on conditions beyond the attacker's control.
The CNI portmap plugin versions 1.6.0 through 1.8.0 contain a traffic interception vulnerability when configured with the nftables backend, allowing containers to receive and intercept all traffic destined for their configured HostPort regardless of destination IP address. This affects Linux Foundation's CNI Network Plugins, and an attacker with local privileges and control over a container can intercept traffic intended for other containers or services on the same node. The vulnerability has a published patch available in version 1.9.0, an extremely low EPSS score of 0.02% indicates minimal real-world exploitation likelihood, and there is no indication of active exploitation in the wild.
Insufficiently Protected Credentials in Adobe ColdFusion (versions 2025.4, 2023.16, and 2021.22 and earlier) enables unauthenticated remote attackers to gain limited unauthorized write access by exploiting improperly stored or transmitted credentials. The CVSS vector confirms network-accessible, zero-complexity exploitation with no privileges or user interaction required, producing limited integrity impact. Tagged as an Authentication Bypass vector, this vulnerability is distinct from a simple credential disclosure - it permits write operations, making it a meaningful integrity risk despite the moderate CVSS score. No public exploit or CISA KEV listing has been identified at time of analysis.
Cross-site request forgery in 1Panel versions 1.10.33 through 2.0.15 allows a remote attacker to change an authenticated user's panel name by luring them to a malicious webpage. The panel name management endpoint omits both anti-CSRF tokens and Origin/Referer header validation, so the victim's browser automatically includes valid session cookies when the forged request fires. No public exploit code and no CISA KEV listing exist at time of analysis; real-world impact is limited to low-integrity panel configuration tampering.
DijiDemi, a platform by Im Park Information Technology, contains an authorization bypass vulnerability (CWE-639) that allows authenticated low-privileged users to access data belonging to other users by manipulating user-controlled identifier keys. Affecting all versions through 28.11.2025, the flaw enables horizontal privilege escalation - an attacker with a valid low-privilege account can exploit trusted identifiers to read confidential data outside their authorized scope. No public exploit code exists and no KEV listing is present; with an EPSS of 0.03% (10th percentile), active exploitation is not currently anticipated.