Unauthenticated access to live video and device data affects Xiongmai XM530-based IP cameras running firmware V5.00.R02.000807D8.10010.346624.S with ONVIF 21.06, where the ONVIF service fails to enforce authentication on 31 endpoints. Any remote attacker who can reach the camera's ONVIF port can pull sensitive device information and view real-time RTSP/ONVIF video streams without credentials. Publicly available exploit code exists, though the flaw is not listed in CISA KEV and EPSS is modest (0.85%, 54th percentile).
Full administrative takeover of ClipBucket 5.5.2 is possible because the video-sharing platform ships with hardcoded default administrative credentials, letting any unauthenticated remote attacker sign into the admin panel and control the entire application. Publicly available exploit material (a Medium write-up) documents the attack, and the CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N). This is a network-reachable, no-interaction flaw, though EPSS is modest at 0.57% (43rd percentile) and it is not currently listed in CISA KEV.
Stored cross-site scripting leading to code execution in Frappe Framework 15.89.0 (and the ERPNext application built on it) lets attackers upload a crafted XML/SVG file through the Attachments module that runs attacker-controlled script when a victim views it. Tagged as XSS/RCE/File Upload with a publicly available exploit code, though EPSS remains low at 0.44% (35th percentile) and it is not on CISA KEV. The CVSS 9.6 rating reflects a scope-changing, user-interaction-dependent attack rather than direct server-side compromise.
Arbitrary code execution in Umbraco CMS 16.3.3 is claimed via upload of a crafted PDF file that abuses insufficient file-type validation (CWE-434), potentially leading to server-side code execution. The finding is explicitly DISPUTED by Umbraco, which states that enforcing upload validation is the deploying administrator's responsibility per documentation, mirroring the earlier CVE-2023-49279. No public exploit is confirmed and EPSS is low (0.50%, 39th percentile), so despite the nominal CVSS 10.0 this reflects a contested, configuration-dependent condition rather than a proven turnkey RCE.