D-Link DIR-895L router has command injection in the DHCP daemon via the hostname parameter during lease renewal. Any device requesting a DHCP lease with a malicious hostname achieves root code execution on the router. PoC available.
Sangfor O&M Management System (through 3.0.8) has a second command injection in /isomp-protocol/protocol/getCmd, also via sessionPath. Public exploit with higher EPSS (1.2%) than the first vulnerability.
EDIMAX BR-6208AC V2 router allows command injection through the pppUserName field via system() without sanitization. PoC available.
Sangfor Operation and Maintenance Management System (through 3.0.8) has OS command injection in /isomp-protocol/protocol/getHis via the sessionPath parameter. Public exploit available, vendor unresponsive.
BeeS Software BET Portal has SQL injection in the login functionality, allowing unauthenticated attackers to bypass authentication and extract database contents. PoC available.
Unauthenticated command injection via the hostname field enabling remote code execution with CVSS 10.0 and scope change. A separate vulnerability from CVE-2025-64090.
Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compr...
Fastjson before 1.2.48 has a well-known autoType deserialization vulnerability enabling JNDI injection and RCE. Exploited in the wild since 2023 through GodzillaWebShell. Maximum CVSS 10.0 with scope change.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can...
Salesforce Uni2TS time series forecasting library (through 1.2.0) has a code injection vulnerability that allows leveraging executable code in non-executable files across all platforms.
Vivotek IP7137 camera ships without any admin password by default, and users are not informed they should set one. End-of-life product with no expected fix – all deployed cameras are likely exposed.
Frontend Admin by DynamiApps WordPress plugin (through 3.28.25) allows unauthenticated privilege escalation to administrator via insufficient role validation. Attackers can register as admins and take full control of the site.
Cross-site scripting in GitLab CE/EE (18.6 before 18.6.3 and 18.7 before 18.7.1) lets an unauthenticated attacker run arbitrary JavaScript in the browser of a logged-in victim who is lured to a specially crafted webpage, enabling session theft and actions performed as that authenticated user. The flaw carries a critical CVSS 9.6 with a scope change, reflecting impact that crosses from the vulnerable component into the victim's authenticated session. No public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the vendor-confirmed nature and HackerOne report indicate a credible, validated issue.
Frontend Admin by DynamiApps (through 3.28.25) also allows unauthenticated deletion of arbitrary posts, pages, products, taxonomy terms, and user accounts due to missing capability checks.