Code injection in RuoYi up to version 4.8.1 via the /monitor/cache/getnames endpoint allows authenticated remote attackers to inject arbitrary code through the fragment parameter with low impact to confidentiality, integrity, and availability. The vulnerability requires valid user authentication (PR:L per CVSS 4.0 vector) and has publicly available exploit code, though EPSS scoring at 0.08% percentile (22nd percentile) indicates low real-world exploitation probability despite public disclosure.
Unrestricted file upload in SourceCodester Client Database Management System 1.0 via the /user_leads.php endpoint in the Leads Generation Module allows authenticated remote attackers to upload arbitrary files. The vulnerability requires valid user credentials (PR:L in CVSS v4.0) but carries low confidentiality, integrity, and availability impact per the vector. Public exploit code exists, and EPSS score of 0.06% suggests minimal real-world exploitation despite public availability, likely due to the authenticated requirement limiting attack surface.
Improper authorization in Campcodes Advanced Voting Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/voters_edit.php, resulting in unauthorized modification of voter passwords. The vulnerability affects the Password Handler component and requires valid user credentials to exploit, limiting real-world risk despite public exploit availability. EPSS exploitation probability is low at 0.06 percentile, suggesting this flaw targets specific administrative scenarios rather than representing widespread attack potential.
Code injection in ZZCMS 2025 Backend Website Settings Module allows authenticated remote attackers to inject arbitrary code via the icp parameter in the stripfxg function (/admin/siteconfig.php), with limited confidentiality impact. Public exploit code is available, but exploitation requires high-privilege administrative access, significantly limiting practical attack surface despite network-accessible vector.
Stored HTML injection in Nozomi Networks CMC and Guardian Time Machine Snapshot Diff feature allows unauthenticated attackers to inject HTML tags into asset attributes across snapshots via specially crafted network packets. When a victim uses the Snapshot Diff feature and performs specific GUI actions, the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is mitigated by input validation and Content Security Policy. This vulnerability has not been confirmed as actively exploited, requires high attack complexity (multiple preconditions), and results in low integrity impact with limited scope.
Null pointer dereference in OFFIS DCMTK up to version 3.6.9 within the DcmQueryRetrieveIndexDatabaseHandle::startFindRequest and DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest functions in dcmqrscp causes denial of service. The vulnerability requires local access with low privilege level and results in availability impact through service crash. No public exploit code is confirmed, and EPSS exploitation probability is extremely low at 0.04%, indicating this is a low-priority reliability issue rather than an active security threat.