HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scripts when applications pass unsanitized user-controlled data as component children, with public exploit code already available. The vulnerability stems from a regression in Preact 10.26.5 that weakened protections against constructing Virtual DOM elements from malicious JSON payloads. Affected applications are vulnerable if they consume unvalidated external data without sanitization and lack additional mitigations like Content Security Policy.
Cross-Site Scripting (XSS) is present on the LoginID parameter on the /PSP/app/web/reg/reg_display.asp endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.76). Unsanitized user input is reflected in HTTP responses without proper HTML encoding or escaping. [CVSS 6.1 MEDIUM]
Mediawiki-Extensions-Uploadwizard versions up to 1.39 is affected by cross-site scripting (xss) (CVSS 6.1).
NiceGUI versions 2.22.0 through 3.4.1 contain a stored cross-site scripting vulnerability in the click event listener of ui.sub_pages that executes attacker-controlled JavaScript when users click malicious links on the page. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later immediately. The vulnerability requires user interaction but can impact confidentiality and integrity with network-accessible exploitation.
Cross-site scripting (XSS) in NiceGUI versions 2.13.0 through 3.4.1 allows attackers to execute arbitrary JavaScript in users' browsers when applications pass untrusted input to the ui.navigate.history.push() or ui.navigate.history.replace() functions due to improper string escaping in generated JavaScript. Public exploit code exists for this vulnerability, and developers using affected versions should upgrade to 3.5.0 or later, or avoid passing user-controlled data to these navigation helpers. Applications that only use these functions with trusted, hardcoded URLs are unaffected.
Mailpit versions 1.28.0 and earlier contain a server-side request forgery vulnerability in the /proxy endpoint that permits unauthenticated attackers to probe and access internal network resources and services. The endpoint insufficiently validates destination addresses, allowing requests to internal IP ranges despite scheme validation. Public exploit code exists for this vulnerability, which is resolved in version 1.28.1.
Facesentry Access Control System Firmware versions up to 5.7.0 is affected by cleartext transmission of sensitive information (CVSS 5.9).
Corpkit WordPress theme (through 2.0) allows unauthenticated web shell upload via unrestricted file type upload.
The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions up to, and including, 9.642. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. Additionally, the attacker can also delete files on the server such as database configuration files, subsequently...
Felan Framework for WordPress (through 1.1.3) allows authentication bypass through an alternate path, enabling unauthenticated admin access.
NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. [CVSS 9.8 CRITICAL]
V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. [CVSS 9.8 CRITICAL]
Newsletters WordPress plugin by Tribulant (through 4.11) is vulnerable to PHP object injection through deserialization of untrusted data, potentially leading to RCE via POP chains.
OPEXUS eCasePortal before 9.0.45.0 allows unauthenticated access to the Attachments.aspx endpoint with predictable formid values. Attackers can download, delete, or upload files without authentication.
SUSE Harvester virtualization environment (1.5.x, 1.6.x) exposes the OS default SSH login password when using the interactive installer. This affects all hosts provisioned through the interactive method, potentially compromising entire virtualization clusters.
Authlib is a Python library which builds OAuth and OpenID Connect servers. [CVSS 5.7 MEDIUM]
Intern Membership Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. [CVSS 5.4 MEDIUM]
Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69). [CVSS 5.4 MEDIUM]
Soft Serve versions prior to 0.11.2 contain an authorization bypass in the LFS lock deletion endpoint that allows authenticated users to forcibly delete locks owned by other users by exploiting improper validation order. Any user with repository write access can leverage this vulnerability to disrupt collaborative workflows by removing locks created by teammates. A public exploit exists and patches are available.
Bokeh versions 3.8.1 and below allow attackers to bypass Origin validation in WebSocket connections by registering domains that suffix-match allowlisted domains (e.g., dashboard.corp.attacker.com for allowlist entry dashboard.corp), enabling unauthorized server interaction. Public exploit code exists for this vulnerability, which could allow attackers to access sensitive data or modify visualizations on behalf of victims. The issue is resolved in Bokeh 3.8.2.
A null pointer dereference in TOTOLINK WA1200 5.9c.2914's HTTP request handler (cstecgi.cgi) allows remote unauthenticated attackers to trigger a denial of service condition. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. A patch is not currently available, leaving affected devices vulnerable until an update is released.
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP authentication mechanism allows attackers to enumerate users, extract sensitive attributes, and target specific accounts. Public exploit code exists for this vulnerability. The issue is resolved in version 1.2.49 and later.
SQL injection in Parsl's visualization dashboard allows unauthenticated attackers to execute arbitrary database queries through unsafe string formatting of the workflow_id parameter. Public exploit code exists for this vulnerability, enabling potential data theft or database denial of service attacks against the monitoring infrastructure. The issue affects Parsl versions prior to 2026.01.05, which includes the fix.
Automotive Listings WordPress theme (through 18.6) has blind SQL injection enabling unauthenticated database extraction.
Felan Framework (through 1.1.3) also has SQL injection in addition to the auth bypass (CVE-2025-23504). Two critical vulnerabilities in the same plugin create a devastating attack chain.
Logging Redactor prior to version 0.0.6 fails to properly handle non-string data types during redaction operations, causing type conversion errors that can disrupt log formatting and integrity checks. Public exploit code exists for this vulnerability, allowing attackers to craft inputs that bypass the redaction mechanism or cause denial of service through malformed log output. Users of Logging Redactor should upgrade to version 0.0.6 or later, as no patch is currently available for affected earlier versions.
Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. [CVSS 5.3 MEDIUM]
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. [CVSS 5.3 MEDIUM]
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. [CVSS 5.3 MEDIUM]
NiceGUI versions 2.10.0 through 3.4.1 fail to properly release Redis connections when users open and close browser tabs, allowing unauthenticated attackers to exhaust the Redis connection pool and degrade service functionality. An attacker can repeatedly trigger connection leaks without authentication, causing storage errors and degraded performance once connection limits are reached. Public exploit code exists for this vulnerability, which is patched in version 3.5.0.
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. [CVSS 5.3 MEDIUM]
Ax1800 Firmware versions up to 4.2.0 is affected by improper restriction of excessive authentication attempts (CVSS 5.1).
Contentstudio WordPress plugin (through 1.3.7) allows unauthenticated web shell upload, enabling immediate server compromise.
Veeam allows Backup Operators to execute code as postgres via malicious interval or order parameters. Another operator-to-RCE escalation path with scope change.
Veeam allows Backup Administrators to execute code as postgres via a malicious password parameter. Scope change means OS-level compromise from application-level admin access.
Veeam allows Backup or Tape Operators to write files as root on the server. An operator-level role achieving root file write is a severe privilege escalation with scope change.
Blind SQL injection in CoreShop prior to version 4.1.8 allows authenticated administrators to extract sensitive database information through boolean-based or time-based attack techniques. The vulnerability is limited to information disclosure due to the application's read-only database permissions, preventing data modification or denial of service. Public exploit code exists for this vulnerability; administrators should upgrade to version 4.1.8 or later.
Remote code execution in Ubiquiti airMAX wireless devices (UBB, UBB-XG, UDB-Pro/UDB-Pro-Sector) allows adjacent network attackers to execute arbitrary code by exploiting a protocol vulnerability without authentication. Affected versions include UBB-XG 1.2.2 and earlier, UDB-Pro/UDB-Pro-Sector 1.4.1 and earlier, and UBB 3.1.5 and earlier. No patch is currently available, though vendors have released mitigation versions.
Timetics WordPress plugin (through 1.0.46) allows authentication bypass via alternate path, enabling unauthenticated admin access to the booking system.
NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. [CVSS 8.8 HIGH]
Open redirect vulnerability in Kanboard versions 1.2.48 and below allows attackers to bypass URL validation and redirect authenticated users to malicious websites through specially crafted URLs. Public exploit code exists for this vulnerability, which can be leveraged for phishing attacks and credential theft. The vulnerability is resolved in version 1.2.49.
Libsoup's NTLM authentication handler crashes when processing exceptionally long passwords due to a signed integer overflow in memory allocation calculations, affecting GNOME and applications relying on this library for network operations. An unauthenticated remote attacker can trigger a denial-of-service condition by sending specially crafted authentication requests. No patch is currently available.
Lobo WordPress theme (before 2.8.6) has blind SQL injection enabling unauthenticated database extraction.
Workreap WordPress plugin (through 3.3.6) has SQL injection enabling unauthenticated database extraction. A freelance marketplace plugin likely containing user PII and financial data.
WooCommerce Orders & Customers Exporter (through 5.4) has SQL injection enabling unauthenticated extraction of all order and customer data including payment details and personal information.
A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. [CVSS 8.5 HIGH]
devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. [CVSS 8.4 HIGH]
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. [CVSS 8.4 HIGH]
Titra time tracking software versions 0.99.49 and below contain a mass assignment vulnerability in their API that allows authenticated users to inject arbitrary fields into time entries through an unvalidated customfields parameter, enabling attackers to overwrite protected data such as user IDs, hours, and entry states. Public exploit code exists for this vulnerability which affects the integrity of tracked time data. The issue is resolved in version 0.99.50.