Modular DS WordPress plugin (through 2.5.1) has incorrect privilege assignment allowing unauthenticated privilege escalation. Maximum CVSS 10.0 with scope change, EPSS 6.8%.
enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Error object is exposed to sandboxed code, which can use its prototype chain to access the host Node.js runtime. Maximum CVSS 10.0 with scope change. PoC available, patch available.
FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fixed in 3.20.1.
FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC available.
FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt memory and crash the client. PoC available.
FreeImage 3.18.0 has a use-after-free in the TARGA plugin's loadRLE function. Processing a malicious TGA file can lead to code execution. PoC available.
BLUVOYIX exposes internal API documentation publicly, allowing attackers to discover and abuse internal functionality.
News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.
An Orchestrator service allows unauthenticated attackers to bypass MFA and create admin accounts without multi-factor authentication. This undermines the security of the entire authentication system.
BLUVOYIX admin APIs allow unauthenticated creation of admin users, enabling complete platform takeover.
BLUVOYIX platform has unauthenticated API access allowing full customer data extraction and platform compromise.
Integration Opvius AI for WooCommerce (through 1.3.0) has unauthenticated path traversal allowing arbitrary file download and deletion. No authentication, no nonce verification, no path validation.
Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execute without appearing in the allowlist, enabling environment poisoning and arbitrary command execution.