Critical SQL injection vulnerability in an internet-exposed service enabling unauthenticated extraction and manipulation of the entire database. CVSS 10.0 with scope change, EPSS 12.9% indicating high exploitation activity.
Sagemcom F@st 3686 cable modem/router has a buffer overflow in the IPP printing service that allows unauthenticated remote code execution via crafted HTTP requests. PoC available.
Sourcecodester Covid-19 Contact Tracing System 1.0 allows unauthenticated RCE through unrestricted PHP file upload in the user image functionality. PoC available.
orval (TypeScript API client generator) before 7.18.0 has code injection via OpenAPI specification summary fields in MCP server generation. Malicious API specs can inject arbitrary code into generated TypeScript. PoC available, patch available.
Appsmith before 1.93 allows attackers to control the Origin header value used as the base URL in password reset and email verification links. Attackers can redirect authentication tokens to their domain, enabling account takeover. PoC available, patch available.
GYM-MANAGEMENT-SYSTEM 1.0 has multiple SQL injection vulnerabilities in search and payment endpoints (member_search, trainer_search, gym_search, payment_search). PoC available.
Kashipara Online Exam System V1.0 has SQL injection in profile.php through five POST parameters (rname, rcollage, rnumber, rgender, rpassword). PoC available.
LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through the MCP stdio transport. A single API request is sufficient for root code execution. PoC available, patch available.
Acora CMS v10.7.1 uses a static, predictable password reset token. Attackers can replay this token to reset any user's password and take over their account, including admin accounts. Maximum CVSS 10.0 with scope change.
Automai Director v25.2.0 allows authenticated users to escalate to full administrative privileges with scope change (CVSS 9.9). Low-privileged users can take complete control of the automation platform.
TinyWeb HTTP Server before 1.98 has OS command injection via CGI ISINDEX query parameters. The query string is passed as command-line arguments to CGI executables through Windows CreateProcess(), allowing unauthenticated RCE. Patch available.
Automai BotManager v25.2.0 allows unauthenticated remote code execution via the BotManager.exe component due to improper certificate validation. Attackers can execute arbitrary code on systems running the bot management agent.
Broadcom DX NetOps Spectrum (23.3.6 and earlier) has unauthenticated OS command injection on both Windows and Linux platforms. As a network management system, compromise gives attackers visibility and control over the entire monitored infrastructure.
D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on its 433 MHz sensor channel. No rolling codes, authentication, or anti-replay protection – attackers can record and replay alarm/control frames to trigger false alarms or disable sensors.
Gym Management System PHP 1.0 has multiple SQL injection vulnerabilities across three files (submit_contact.php, secure_login.php, change_s_pwd.php) through seven parameters. Authentication bypass and data extraction possible.
Broadcom DX NetOps Spectrum (24.3.8 and earlier) exposes session tokens in URL query strings, enabling session hijacking through browser history, referer headers, or proxy logs.
ServiceNow AI Platform has a user impersonation vulnerability allowing unauthenticated attackers to impersonate any user and perform their authorized actions. ServiceNow has deployed patches to hosted instances and self-hosted updates are available.
DFIR-IRIS incident response platform before 2.4.24 allows authenticated users to delete arbitrary filesystem paths through mass assignment of the file_local_name field combined with path trust in the delete operation. Scope change with high integrity/availability impact. Patch available.