SQL injection in Simple Stock System 1.0 via the Username parameter in /checkuser.php allows authenticated remote attackers to manipulate database queries with low impact to confidentiality, integrity, and availability. The CVSS 4.0 vector (PR:L) indicates login is required, but an EPSS score of 0.05% and very low CVSS base of 2.1 suggest minimal real-world exploitation risk despite public exploit availability.
Reflected cross-site scripting (XSS) in xiweicheng Teamwork Management System up to version 2.28.0 allows high-privilege users to inject malicious scripts via the content parameter in the /admin/blog/comment/create endpoint. The vulnerability requires admin authentication and user interaction (UI:P), limiting real-world risk despite network accessibility. Publicly available exploit code exists, though EPSS scoring (0.06%, 18th percentile) and CVSS 1.9 indicate low actual exploitation probability due to high privilege requirements.
Installed app enumeration via permissions bypass in Apple operating systems allows a locally authenticated app to discover what other applications a user has installed through insufficient access controls. Affects iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Tahoe 26.1 and earlier, tvOS 26.1 and earlier, visionOS 26.1 and earlier, and watchOS 26.1 and earlier. The vulnerability has a low CVSS score (3.3) with extremely low exploitation probability (EPSS 0.02%) and no public exploit identified at time of analysis.
Local apps on Apple devices can access a user's Safari browsing history due to insufficient data redaction in system logging, affecting iOS, iPadOS, macOS Tahoe, and watchOS prior to version 26.2. An attacker with local app execution privileges can extract sensitive Safari history from system logs without user interaction. This vulnerability carries a 3.3 CVSS score with minimal real-world exploitation probability (EPSS 0.01%) and no known public exploits.
Safari and Apple operating systems contain a race condition that crashes the rendering process when processing maliciously crafted web content, affecting Safari 26.2 and earlier, iOS 18.7.3 and earlier, iPadOS 18.7.3 and earlier, macOS Tahoe 26.2 and earlier, tvOS 26.2 and earlier, visionOS 26.2 and earlier, and watchOS 26.2 and earlier. The vulnerability requires user interaction (clicking a malicious link or visiting a hostile website) and has high attack complexity, resulting in denial of service through process crash rather than data compromise. No public exploit code has been identified, EPSS exploitation probability is very low at 0.12%, and Apple has released patched versions across all affected platforms.
ZZCMS 2025 stores sensitive user data in cleartext within the User Data Storage Module at /reg/user_save.php, allowing remote attackers with high-level privileges to retrieve unencrypted credentials or personal information from disk. The vulnerability has a published exploit available, though the extremely low EPSS score (0.02%) and requirement for authenticated high-privilege access suggest minimal real-world exploitation risk despite public proof-of-concept availability.