Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repository field during project creation. A regular member can achieve root-level code execution on the Coolify host with scope change. PoC available.
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with basic access can extract the key, SSH to the server as root, and fully compromise the Coolify instance and all managed infrastructure. PoC available.
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an application from an attacker-controlled repository using the Docker Compose build pack, the attacker achieves root code execution on the Coolify instance. PoC available, patch available.
Craft CMS (5.0.0-RC1 through 5.8.20, 3.x through 4.16.16) allows unauthenticated users to trigger database backup operations, leading to resource exhaustion or information disclosure if backups are stored in accessible locations. PoC available, patches available.
Themify Shopo WordPress theme (through 1.1.4) allows authenticated users to upload web shells. Despite requiring low-level authentication, the scope change to CVSS 9.9 means any subscriber account can achieve full server compromise.
WHILL Model C2 electric wheelchairs and Model F power chairs accept Bluetooth connections without authentication. An attacker within Bluetooth range can pair with the device and issue movement commands, override speed restrictions, and change configuration – creating a direct physical safety hazard for the user.
Centreon Infra Monitoring's AWIE export module contains SQL injection accessible to unauthenticated users. Combined with CVE-2025-15026 (missing auth on import), the AWIE module has both unauthenticated data extraction and unauthorized configuration access. Patch available.
Centreon Infra Monitoring's centreon-awie module lacks authentication on critical import functions, allowing unauthenticated attackers to access functionality that should be restricted by ACLs. Affects multiple Centreon versions. Patch available.
Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality.
Waituk Entrada WordPress theme (through 5.7.7) contains blind SQL injection with scope change, allowing unauthenticated database extraction beyond the theme's own data.
Infility Global WordPress plugin (through 2.14.48) contains SQL injection with scope change, enabling unauthenticated database extraction beyond the plugin's own data. No patch available.
Amazon Native Shopping Recommendations WordPress plugin (through 1.3) contains SQL injection that allows unauthenticated attackers to extract database contents with scope change. Abandoned plugin with no expected patch.
Local file inclusion and path traversal in the Node.js builds of jsPDF (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to version 4.0.0 lets an attacker who controls the path argument passed to loadFile, addImage, html, or addFont read arbitrary files from the host filesystem, with the file contents embedded verbatim into the generated PDF. Applications that forward unsanitized user input into these methods leak secrets such as /etc/passwd, configuration files, or private keys to anyone who can request a PDF. No public exploit identified at time of analysis; EPSS risk is very low (0.02%, 6th percentile) and the issue is not in CISA KEV.
Media File Renamer WordPress plugin (through 5.7.7) by Meow Apps allows administrators to upload files with dangerous types, achieving OS-level code execution with scope change. While admin access is required, the scope break makes this critical.
Passy v1.6.3 password manager allows authenticated administrators to execute arbitrary OS commands via crafted HTTP requests. The scope change from application to OS makes this critical despite requiring high privileges.
Samsung Exynos processors (multiple models including 980, 990, 2100, 2200, 2400) and modems have an out-of-bounds write via malformed NAS (Non-Access Stratum) packets. This baseband vulnerability can be exploited over the cellular network without user interaction, potentially affecting millions of devices.