Skip to main content
CVE-2025-52694 CRITICAL POC THREAT Emergency

Critical SQL injection vulnerability in an internet-exposed service enabling unauthenticated extraction and manipulation of the entire database. CVSS 10.0 with scope change, EPSS 12.9% indicating high exploitation activity.

SQLi Iotsuite Starter Linux Docker Iot Edge Windows Iotsuite Growth Linux Docker Iotsuite Saas Composer +1
NVD
CVSS 3.1
10.0
EPSS
12.9%
CVE-2026-22200 HIGH POC PATCH THREAT Act Now

Arbitrary local file read in Enhancesoft osTicket 1.18.x (before 1.18.3) and 1.17.x (before 1.17.7) lets a remote unauthenticated attacker embed the contents of server-side files into an exported ticket PDF. By submitting a ticket whose rich-text HTML carries crafted PHP filter expressions, the attacker abuses the mPDF export path to render attacker-chosen files as bitmap images, disclosing sensitive data such as configuration files and credentials. Publicly available exploit code exists (Horizon3 'Ticket to Shell' research) and the EPSS score of 13.58% (94th percentile) reflects elevated near-term exploitation likelihood; there is no public exploit identified as active in CISA KEV.

PHP Osticket Information Disclosure
NVD GitHub
CVSS 4.0
8.7
EPSS
13.6%
CVE-2025-29329 CRITICAL POC Act Now

Sagemcom F@st 3686 cable modem/router has a buffer overflow in the IPP printing service that allows unauthenticated remote code execution via crafted HTTP requests. PoC available.

Buffer Overflow F St 3686 Firmware RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2025-66802 CRITICAL POC Act Now

Sourcecodester Covid-19 Contact Tracing System 1.0 allows unauthenticated RCE through unrestricted PHP file upload in the user image functionality. PoC available.

RCE Covid 19 Contact Tracing System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-22785 CRITICAL POC PATCH Act Now

orval (TypeScript API client generator) before 7.18.0 has code injection via OpenAPI specification summary fields in MCP server generation. Malicious API specs can inject arbitrary code into generated TypeScript. PoC available, patch available.

Command Injection RCE Orval
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22794 CRITICAL POC PATCH Act Now

Appsmith before 1.93 allows attackers to control the Origin header value used as the base URL in password reset and email verification links. Attackers can redirect authentication tokens to their domain, enabling account takeover. PoC available, patch available.

CSRF Appsmith
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-67146 CRITICAL POC Act Now

GYM-MANAGEMENT-SYSTEM 1.0 has multiple SQL injection vulnerabilities in search and payment endpoints (member_search, trainer_search, gym_search, payment_search). PoC available.

PHP SQLi Authentication Bypass Gym Management System
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-22812 HIGH POC PATCH This Week

Opencode versions up to 1.0.216 is affected by missing authentication for critical function (CVSS 8.8).

Authentication Bypass RCE AI / ML Opencode
NVD GitHub
CVSS 3.1
8.8
EPSS
2.6%
CVE-2025-51567 CRITICAL POC Act Now

Kashipara Online Exam System V1.0 has SQL injection in profile.php through five POST parameters (rname, rcollage, rnumber, rgender, rpassword). PoC available.

PHP SQLi Online Exam System
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-22252 CRITICAL POC PATCH Act Now

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through the MCP stdio transport. A single API request is sufficient for root code execution. PoC available, patch available.

Authentication Bypass AI / ML Librechat
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-22799 HIGH POC PATCH This Week

Remote code execution in Emlog v2.6.1 and earlier allows authenticated attackers to upload arbitrary files through an insufficiently validated REST API endpoint (/index.php?rest-api=upload), enabling malicious PHP execution on the server. Attackers can exploit this by obtaining valid API credentials through administrator access or information disclosure flaws, then uploading executable scripts to achieve full system compromise. Public exploit code exists for this vulnerability, and affected administrators should apply available patches immediately.

PHP RCE Information Disclosure Emlog
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-22771 HIGH POC PATCH This Week

Credential theft via Lua script execution in Envoy Gateway versions before 1.5.7 and 1.6.2 allows authenticated attackers to extract proxy credentials and subsequently access the control plane and all associated secrets including TLS private keys. Public exploit code exists for this vulnerability. Affected organizations running vulnerable Envoy Gateway instances should immediately upgrade as no patch is currently available for intermediate versions.

Kubernetes Gateway Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2024-58339 HIGH POC PATCH This Week

Denial-of-service in LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 lets remote unauthenticated attackers exhaust CPU and memory through the VannaPack VannaQueryEngine. The engine's custom_query() converts a user-supplied natural-language prompt into SQL and runs it via vn.run_sql() with no execution limits, so a crafted prompt can produce an unbounded or extremely expensive query. Publicly available exploit code exists (Huntr bounty report), though EPSS is low at 0.12% (30th percentile) and it is not listed in CISA KEV.

Denial Of Service Llamaindex
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-15514 HIGH POC This Week

Denial of service in Ollama's multi-modal image processing (versions 0.11.5-rc0 through 0.13.5) lets remote attackers crash the model runner by POSTing crafted base64 image data to the /api/chat endpoint. The decoded data is passed to mtmd_helper_bitmap_init_from_buf without validating that it is valid media; the function returns NULL on malformed input and the unchecked pointer is dereferenced, triggering a segmentation fault that takes the model offline for all users until restart. Rated CVSS 4.0 8.7 (availability-only impact); publicly available exploit code exists via a Huntr bounty, but EPSS is low (0.09%, 25th percentile) and it is not on CISA KEV.

Denial Of Service Ollama
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-58340 HIGH POC PATCH This Week

Denial-of-service in LangChain versions up to and including 0.3.1 lets remote attackers exhaust CPU by feeding a crafted string into the MRKLOutputParser.parse() method, whose backtracking-prone regular expression exhibits catastrophic backtracking (ReDoS). Because MRKL agents parse LLM output to extract tool actions, an attacker who can influence that text - typically via prompt injection in downstream applications - can stall or hang the parsing thread. Publicly available exploit code exists (huntr bounty), though EPSS is low at 0.08% and it is not on the CISA KEV list.

Denial Of Service Langchain
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-14021 HIGH POC PATCH This Week

Arbitrary code execution in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 occurs when BGEM3Index.load_from_disk() calls pickle.load() on a multi_embed_store.pkl file read from an attacker-controlled persist_dir. A victim who loads a maliciously crafted index directory executes attacker-supplied code in their own process. Publicly available exploit code exists (huntr bounty submission), though EPSS is low (0.08%) and it is not listed in CISA KEV, so there is no public exploit identified as actively exploited.

Deserialization Llamaindex RCE
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-22788 HIGH POC PATCH This Week

WebErpMesV2 versions prior to 1.19 expose unauthenticated API endpoints that allow remote attackers to read sensitive manufacturing and business data including orders, quotes, and tasks without credentials. Public exploit code exists for this vulnerability, and attackers can additionally create company records and manipulate collaboration whiteboards. A patch is available in version 1.19 and should be applied immediately to restrict API access.

Authentication Bypass Wem
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2023-36331 HIGH POC This Week

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. [CVSS 8.2 HIGH]

Authentication Bypass Xmall
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-68472 HIGH POC PATCH GHSA This Week

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. [CVSS 8.1 HIGH]

Path Traversal AI / ML Mindsdb
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22804 HIGH POC This Week

Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary JavaScript by uploading malicious SVG files that bypass content sanitization. When a Termix user previews the crafted file, the payload executes within the application context with full access to sensitive operations. Public exploit code exists and no patch is currently available.

SSH XSS Termix
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-22776 HIGH POC PATCH This Week

cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decompressed HTTP request body sizes. An unauthenticated remote attacker can send a malicious gzip or brotli-compressed request that decompresses to an arbitrarily large payload in memory, exhausting server resources. Public exploit code exists for this vulnerability, and a patch is available in version 0.30.1 and later.

Denial Of Service Cpp Httplib Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22786 HIGH POC PATCH This Week

Gin-vue-admin versions 2.8.7 and earlier contain a path traversal vulnerability in the breakpoint resume upload API that allows authenticated attackers to write arbitrary files to any directory on the system. Public exploit code exists for this vulnerability, which affects administrators and users with file upload privileges. An attacker can bypass directory restrictions by injecting traversal sequences (../) into the fileName parameter to escape the intended fileDir location.

Golang Path Traversal Gin Vue Admin Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2025-66689 MEDIUM POC This Month

A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. [CVSS 6.5 MEDIUM]

Path Traversal Pal Mcp Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68471 MEDIUM POC PATCH This Month

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. [CVSS 6.5 MEDIUM]

Denial Of Service Avahi Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22813 MEDIUM POC PATCH This Month

OpenCode's markdown renderer fails to sanitize HTML input in LLM responses, allowing attackers who control the chat output to inject arbitrary JavaScript that executes in the localhost:4096 origin without Content Security Policy protections. Public exploit code exists for this cross-site scripting vulnerability, affecting users of the AI coding agent through versions prior to 1.1.10. An attacker can achieve session compromise or local code execution by manipulating LLM responses to inject malicious scripts.

XSS AI / ML Opencode
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22695 MEDIUM POC PATCH This Month

Libpng versions 1.6.51-1.6.53 contain a heap buffer over-read in the simplified API function png_image_finish_read when processing interlaced 16-bit PNG images with 8-bit output and non-minimal row stride, allowing local attackers to read out-of-bounds memory through a malicious image file. Public exploit code exists for this regression, which was introduced by a previous security fix. Upgrade to version 1.6.54 to remediate.

Buffer Overflow Libpng Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-63314 CRITICAL Act Now

Acora CMS v10.7.1 uses a static, predictable password reset token. Attackers can replay this token to reset any user's password and take over their account, including admin accounts. Maximum CVSS 10.0 with scope change.

Cm3 Acora Cms Information Disclosure
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-46066 CRITICAL Act Now

Automai Director v25.2.0 allows authenticated users to escalate to full administrative privileges with scope change (CVSS 9.9). Low-privileged users can take complete control of the automation platform.

Privilege Escalation Director
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-22781 CRITICAL PATCH Act Now

TinyWeb HTTP Server before 1.98 has OS command injection via CGI ISINDEX query parameters. The query string is passed as command-line arguments to CGI executables through Windows CreateProcess(), allowing unauthenticated RCE. Patch available.

Windows Command Injection Tinyweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-46070 CRITICAL Act Now

Automai BotManager v25.2.0 allows unauthenticated remote code execution via the BotManager.exe component due to improper certificate validation. Attackers can execute arbitrary code on systems running the bot management agent.

Authentication Bypass RCE Botmanager
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-69269 CRITICAL Act Now

Broadcom DX NetOps Spectrum (23.3.6 and earlier) has unauthenticated OS command injection on both Windows and Linux platforms. As a network management system, compromise gives attackers visibility and control over the entire monitored infrastructure.

Broadcom Linux Windows Command Injection Dx Netops Spectrum
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-65552 CRITICAL Act Now

D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on its 433 MHz sensor channel. No rolling codes, authentication, or anti-replay protection – attackers can record and replay alarm/control frames to trigger false alarms or disable sensors.

Information Disclosure Zx G12 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67147 CRITICAL Act Now

Gym Management System PHP 1.0 has multiple SQL injection vulnerabilities across three files (submit_contact.php, secure_login.php, change_s_pwd.php) through seven parameters. Authentication bypass and data extraction possible.

PHP SQLi Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69270 CRITICAL Act Now

Broadcom DX NetOps Spectrum (24.3.8 and earlier) exposes session tokens in URL query strings, enabling session hijacking through browser history, referer headers, or proxy logs.

Broadcom Linux Windows Information Disclosure Dx Netops Spectrum
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-12420 CRITICAL Act Now

ServiceNow AI Platform has a user impersonation vulnerability allowing unauthenticated attackers to impersonate any user and perform their authorized actions. ServiceNow has deployed patches to hosted instances and self-hosted updates are available.

Privilege Escalation AI / ML Virtual Agent Api Now Assist Ai Agents
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22772 MEDIUM POC PATCH This Month

Fulcio versions prior to 1.8.5 allow unauthenticated attackers to bypass MetaIssuer URL validation through unanchored regex patterns, enabling blind SSRF attacks against internal services. Although the vulnerability is limited to read-only GET requests with no response exfiltration, attackers can probe internal networks to discover active services and infrastructure. Public exploit code exists for this medium-severity issue, and a patch is available in version 1.8.5.

SSRF Fulcio Red Hat Suse
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-22783 CRITICAL PATCH Act Now

DFIR-IRIS incident response platform before 2.4.24 allows authenticated users to delete arbitrary filesystem paths through mass assignment of the file_local_name field combined with path trust in the delete operation. Scope change with high integrity/availability impact. Patch available.

Information Disclosure Iris
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-0852 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminUpdateUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable unauthorized data access, modification, or deletion with confidentiality, integrity, and availability impact.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-0851 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 via the txtusername parameter in AdminAddUser.php enables unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-66939 MEDIUM POC This Month

Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file [CVSS 5.4 MEDIUM]

XSS 66biolinks
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-22033 MEDIUM POC PATCH This Month

Stored XSS in Label Studio's custom_hotkeys feature allows authenticated attackers to inject malicious JavaScript that executes in other users' browsers, potentially enabling API token theft and account takeover due to insufficient CSRF protections. Public exploit code exists for this vulnerability affecting Label Studio 1.22.0 and earlier. An attacker could abuse this to gain unauthorized API access or perform actions on behalf of compromised users.

XSS CSRF Label Studio
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0854 HIGH This Week

Merit LILIN DVR/NVR devices allow authenticated remote attackers to execute arbitrary operating system commands through command injection, enabling complete system compromise. An attacker with valid credentials can bypass application controls and gain full control over the affected device without user interaction. No patch is currently available for this vulnerability, leaving deployed systems at significant risk.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-46068 HIGH This Week

Director versions up to 25.2.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

File Upload RCE Director
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-69276 HIGH This Week

Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. [CVSS 8.8 HIGH]

Broadcom Linux Windows Deserialization Dx Netops Spectrum
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0855 HIGH This Week

Merit LILIN IP Camera models contain an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands on affected devices with high privileges. The vulnerability requires valid credentials but no user interaction, enabling complete compromise of device confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69274 HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. [CVSS 8.8 HIGH]

Broadcom Linux Windows Privilege Escalation Dx Netops Spectrum
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22784 MEDIUM POC PATCH This Month

Lychee photo management tool versions before 7.1.0 contain an authorization bypass in the album password unlock mechanism that allows authenticated users to access multiple password-protected albums by unlocking just one that shares the same password. Public exploit code exists for this vulnerability. Administrators should upgrade to version 7.1.0 or later to prevent unauthorized access to protected photo collections.

Authentication Bypass Lychee
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46067 HIGH This Week

An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file [CVSS 8.2 HIGH]

Authentication Bypass Director
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-71063 HIGH PATCH This Week

Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. [CVSS 8.2 HIGH]

TLS Errands
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-41078 HIGH This Week

Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents. [CVSS 8.1 HIGH]

Authentication Bypass Documents Documents Compose
NVD
CVSS 3.1
8.1
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy