Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 allow anyone who can reach the database port to authenticate with full read/write access to the backend datastore. Publicly available exploit code exists, though EPSS remains low (0.81%) and the vendor states the database port is not network-exposed by default in 1.0.1 and later, limiting realistic reach. There is no public exploit identified as actively used in the wild (not in CISA KEV).
Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn tuturn allows Authentication Abuse.This issue affects Tuturn: from n/a through < 3.6.
Remote code execution in Mozilla Firefox via use-after-free in Disability Access APIs allows unauthenticated network attackers to compromise browser integrity with high impact. The vulnerability (CWE-416) affects Firefox versions prior to 146.0.1 and requires no user interaction or special privileges. With CVSS 9.8 (Critical) but low EPSS (0.07%, 21st percentile), real-world exploitation probability remains limited despite theoretical severity. No public exploit identified at time of analysis, and vendor-released patch 146.0.1 available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mmetrodw tPlayer tplayer-html5-audio-player-with-playlist allows SQL Injection.This issue affects tPlayer: from n/a through <= 1.2.1.6.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection.This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1.
Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from n/a through <= 5.2.3.
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.